How to create reverse dynamic ssh port forwarding












4

I'm trying to set up an ssh tunnel layout where:

  1. client A (not ssh-server enabled) initiates ssh connection to server S
  2. socks server is opened on server S:yyyy that tunnels all data via client A
  3. client B connects to the socks server on server S, and tcp data routes via client A to the Internet

A possible solution would be to add a proxy server on Client A (bound to localhost:xxxx), and then run on client A ssh -R yyyy:localhost:xxxx Server. That would achieve the goal. But that's not as clean as using just ssh.

Is it possible to achieve this with just the ssh client on A and ssh-server on S? It's like reverse-dynamic-port-forwarding on ssh - creating ssh -D from A to S, and then somehow set up on this tunnel a second tunnel of ssh -D from S to A. Somewhat confusing, and not sure if possible.

Tags: ssh ssh-tunneling port-forwarding

edited Jan 15 '15 at 14:54 by HalosGhost
asked Jan 15 '15 at 14:29 by azv

  • Up to OpenSSH-6.7 I don't think it can be done simply, native socks proxy support works only in the direction ssh->sshd.
    – mr.spuratic
    Jan 15 '15 at 14:43


















4 Answers
6

I was just searching for this and came across the same (or similar) question on Stack Overflow.

On client A ssh -R *:24680:localhost:12345 serverS and then (still on client A) ssh -D 12345 localhost [1]

You need the * bit so it will bind to server S's public IP address and not just localhost.

Then on client B simply connect to the socks server at serverS:24680

[1] EDIT: I just realized that this won't work if client A doesn't have SSH Server because it can't ssh itself. I was thinking of a setup where client A had an SSH Server but was not accessible by Server S. But a similar setup could still work if you can install a socks server on client A and open it on port 12345.

edited Mar 20 '17 at 10:18 by Community
answered Apr 29 '15 at 3:19 by Hybrid

    • It works, great
      – diyism
      Dec 16 '15 at 4:57
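
Added example, not part of the answer above: whether the `*` bind address takes effect is decided by the server's GatewayPorts and AllowTcpForwarding settings, and a wildcard listener makes the unauthenticated SOCKS port reachable by any host that can reach server S. The function below classifies the outcome from `sshd -T` style output; the sample settings and the name `remote_forward_exposure` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify where sshd will bind an
# "ssh -R" listener, reading effective settings in `sshd -T` format on stdin.
# $1 is the bind address the client sends: "localhost" for a plain "-R port",
# "*" or "" for all interfaces, or a specific address.
# On a real server (as root): sshd -T | remote_forward_exposure '*'
# (add -C user=...,host=...,addr=... to sshd -T to evaluate Match blocks).
remote_forward_exposure() {
    requested_bind=$1
    fwd=yes    # OpenSSH default for AllowTcpForwarding
    gw=no      # OpenSSH default for GatewayPorts
    while read -r key value; do
        case $key in
            allowtcpforwarding) fwd=$value ;;
            gatewayports)       gw=$value ;;
        esac
    done

    # Remote (-R) forwarding needs AllowTcpForwarding yes, all or remote.
    case $fwd in
        yes|all|remote) ;;
        *) echo disabled; return 0 ;;
    esac

    case $gw in
        no)  echo loopback ;;   # server forces the loopback address
        yes) echo wildcard ;;   # server forces all interfaces
        clientspecified)
            # The client's requested bind address is honoured.
            case $requested_bind in
                localhost|127.*|::1) echo loopback ;;
                ''|'*'|0.0.0.0|::)   echo wildcard ;;
                *)                   echo "address:$requested_bind" ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Constructed samples of `sshd -T` output (only the two relevant keywords).
SSHD_DEFAULT='allowtcpforwarding yes
gatewayports no'
SSHD_CLIENTSPEC='allowtcpforwarding remote
gatewayports clientspecified'
SSHD_LOCAL_ONLY='allowtcpforwarding local
gatewayports yes'

# What a client asking for "-R *:24680:..." would get on each sample server.
for sample in "$SSHD_DEFAULT" "$SSHD_CLIENTSPEC" "$SSHD_LOCAL_ONLY"; do
    printf '%s\n' "$sample" | remote_forward_exposure '*'
done
```

With the default `GatewayPorts no`, the listener lands on loopback and client B cannot reach it from another host; restricting access with a host firewall or an SSH local forward from client B avoids the need for a wildcard bind.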


















5

OpenSSH 7.6 introduced reverse dynamic proxy as a native option. It is implemented entirely in the client, so the server does not need to be updated.

 ssh -R 1080 server

answered Dec 7 '17 at 17:39 by Elad Tsur

    • But you still need the SOCKS server, otherwise you just have a reverse tunnel...
      – David Tonhofer
      Dec 19 '18 at 19:54
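
Added example, not part of the answer above: per ssh(1), a `-R` argument with no destination makes the client itself answer SOCKS 4/5 requests arriving on the server-side port, which needs a client of version 7.6 or later. The sketch gates on the `ssh -V` banner and keeps the listener on the server's loopback address; the banners are constructed samples, and `serverS`, the port numbers and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). A banner is what `ssh -V 2>&1` prints.

# Print "major minor" from a banner, or nothing if it is not OpenSSH.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Succeed if the client is 7.6 or newer. The comparison is numeric on each
# field: compared as strings, "10.0" would sort below "7.6".
supports_reverse_dynamic() {
    set -- $(openssh_version "$1")
    [ $# -eq 2 ] || return 2                  # unrecognised banner
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 6 ]; }
}

# $1 banner, $2 server, $3 port on the server,
# $4 port of a SOCKS server on this machine (used only by the fallback).
reverse_socks_plan() {
    if supports_reverse_dynamic "$1"; then
        # The client acts as the SOCKS server; the listener stays on the
        # server's loopback address.
        echo "ssh -N -R 127.0.0.1:$3 $2"
    elif [ -n "$(openssh_version "$1")" ]; then
        # Older client: plain reverse forward to a SOCKS server already
        # listening locally (the workaround described in the question).
        echo "ssh -N -R 127.0.0.1:$3:127.0.0.1:$4 $2"
    else
        echo "unrecognised ssh client"
    fi
}

# Constructed sample banners.
BANNER_NEW='OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017'
BANNER_OLD='OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015'
BANNER_WIN='OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2'
BANNER_TEN='OpenSSH_10.0p2, OpenSSL 3.5.0 8 Apr 2025'

for banner in "$BANNER_NEW" "$BANNER_OLD" "$BANNER_WIN" "$BANNER_TEN"; do
    reverse_socks_plan "$banner" serverS 1080 12345
done
```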


















0

This is quite straightforward.

On local side (Server S), start your openssh server. This will start ssh server by default on port 22 - you could change this port in /etc/ssh/sshd_config file, if necessary.

 service ssh start

On remote side (Client A), start a socks proxy AND set a remote port on the local side to connect to the socks proxy.

 ssh -N -D 127.0.0.1:8888 -p 22 <server-s>
 ssh -N -R 2222:127.0.0.1:8888 -p 22 <server-s>

On local side (Server S), use socks proxy setup on port 2222 via e.g. to connect to Google.

 curl --socks5 127.0.0.1:2222 https://www.google.com

answered Nov 6 '16 at 2:15 by John

    • Unfortunately this solution won't work. The Google page might appear, but that's only because you'll be accessing it through Server S; not Client A. You can verify this by launching curl on httpbin.org or icanhazip.com or api.ipify.org instead. Traffic will be routed through the local socks proxy, which essentially sends it to Server S again -- the initial purpose of -D.
      – AlexandreH
      Oct 23 '17 at 22:28










    • Indeed the "ssh -D" process must not connect to the SSH server on server-s but must connect to an SSH server on Client A.
      – David Tonhofer
      Dec 19 '18 at 20:01




















0

Don't know whether this helps anyone, here is a diagram for my setup that I managed to construct...

[Diagram: SSH reverse tunnel with SOCKS proxying]

You will see two processes on MACHINE_B:

The SSH client connection to MACHINE_A (olive):

 ssh -R 127.0.0.1:22344:127.0.0.1:4444 -i privkey.sshkey -N user_a@machine_a

The SSH client working as SOCKS server on port 4444 (dark green):

 ssh -D localhost:4444 -N user_c@localhost

And one process on MACHINE_A, the one playing server listening on port 22344 (olive).

The light green process on MACHINE_B should appear when the light green process on MACHINE_A asks for a connection...

answered Dec 19 '18 at 20:32 by David Tonhofer